emotet | cb592f2f6fa4c21fc856975c02b08f1c27c79fbaf272094be141161736ef9ce4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 07:58

Target

558.exe
Size

651KB
MD5

afa2067921f77071f9c5c8e6b1d39fa1
SHA1

c51148928853c817743940ccae78a2ebd5c6b57c
SHA256

94c6630242c00d8d5498d6e80258b1fa991e17d799dbcd57ae154b0c9b65079b
SHA512

7768927ca5b6170ab4372b19a511c6eafb69d9038a04e90e463a10da9847bff1f3a1cb89dbabc775ea9b6faf920a19442a58bf06b92b62d178e0ee9168c611cf
SSDEEP

6144:gi4ug3aC+4ZNFJjrRqMG93xCmBDYG++mDhsN7J6Nyyxo:gi43azCDJfRc93xCkDSDaF8Nyqo

Score

10^/10

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1308	558.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 1308	996	558.exe	84
PID 996 wrote to memory of 1308	996	558.exe	84
PID 996 wrote to memory of 1308	996	558.exe	84
PID 1412 wrote to memory of 2316	1412	srvwfp.exe	88
PID 1412 wrote to memory of 2316	1412	srvwfp.exe	88
PID 1412 wrote to memory of 2316	1412	srvwfp.exe	88

C:\Windows\SysWOW64\srvwfp.exe
"C:\Windows\SysWOW64\srvwfp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\SysWOW64\srvwfp.exe
  "C:\Windows\SysWOW64\srvwfp.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2316

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/996-2-0x0000000000D1C000-0x0000000000D20000-memory.dmp

Filesize
16KB

Download
memory/996-3-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/996-0-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/1308-21-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/1308-5-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/1308-8-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/1308-9-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/1412-10-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/1412-13-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/2316-16-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/2316-19-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/2316-22-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/2316-23-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/2316-25-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/2316-27-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download
memory/2316-29-0x0000000000CD0000-0x0000000000D84000-memory.dmp

Filesize
720KB

Download